- A number of significant reforms to privacy law commence in 2018. Legal practitioners will need to consider the impact on clients, as well as on the operation of their own legal practices.
- The changes will affect all medium-large Australian businesses; some smaller businesses; all Australian government agencies; and to a lesser extent State and Territory agencies and small businesses in their capacity as employers.
- The changes include mandatory notification of data breaches, the extra-territorial application of European data protection law to some Australian organisations, and new rules designed to bring about cultural change across Commonwealth government agencies.
Although unrelated to each other, three significant legal reforms will each commence in 2018, changing the manner in which organisations handle personal information. The reforms, spread throughout the year, are:
- mandatory notification of data breaches under the Privacy Act 1988 (Cth);
- the General Data Protection Regulation (‘GDPR’), a European privacy law with extra-territorial reach into Australia; and
- the Australian Government Agencies Privacy Code.
February 2018 – Notifiable data breaches
Who is affected
Commencing 22 February 2018, the new Part IIIC of the Privacy Act 1988 (Cth) (the Notifiable Data Breaches scheme) will affect almost every organisation in Australia in some way:
- All entities already required to comply with the 13 Australian Privacy Principles (‘APPs’), which include all Australian government agencies, almost all businesses and non-profits with an annual turnover of more than $3M, plus some smaller businesses such as health service providers and contracted service providers to the Commonwealth;
- All organisations which receive Tax File Numbers (‘TFNs’), in respect of the TFN information they hold – which will include bodies not otherwise regulated by the APPs, such as State and Territory agencies and most small businesses, in their capacity as employers; and
- Credit providers and credit reporting bodies.